From Test 5 it is clear that the application is just verifying the Origin by checking whether it ends with redacted.com.

ACAH is also enabled, along with different methods, which means an attacker can make different requests on behalf of the victim.

To successfully exploit this we need a domain matching *redacted.com.

So I went and bought kiraakredacted.com to exploit it.
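The difference between the suffix check the target used and a proper origin check, as an added example that is not code from the write-up or the target; the allowlist entries and the Express-style header shape are assumptions:

```javascript
// Added example, not the target's code. Assumes a Node/Express-style server;
// the allowlisted origins below are constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'https://redacted.com',
  'https://connect.redacted.com',
]);

// Weak check, as the write-up describes: a bare suffix match on the Origin value.
// Any registrable domain that happens to end in "redacted.com" passes it.
function weakOriginAllowed(origin) {
  return typeof origin === 'string' && origin.endsWith('redacted.com');
}

// Hardened check: parse the Origin, require https, compare the full
// scheme://host against an explicit allowlist, and only accept subdomains
// when the dot boundary is actually present in the hostname.
function strictOriginAllowed(origin) {
  if (typeof origin !== 'string') return false;
  let url;
  try { url = new URL(origin); } catch { return false; }   // "null", garbage, etc.
  if (url.protocol !== 'https:') return false;
  const normalized = `${url.protocol}//${url.host}`;
  if (ALLOWED_ORIGINS.has(normalized)) return true;
  return url.hostname.endsWith('.redacted.com');
}

// CORS response headers a server would emit for a request Origin under a given check.
// Returning no ACAO header means the browser blocks the cross-origin read.
function corsHeaders(origin, check) {
  if (!check(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

The weak check reflects kiraakredacted.com with credentials allowed; the strict check rejects it, rejects plain http origins, and rejects a literal "null" Origin.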

Exploitation :

Now it's time to find a good endpoint to demonstrate and increase the impact. There was not much on connect.redacted.com to exploit; it was just a static site asking you to install their browser extension.

But one thing that kept me looking for an exploitation path was that to install that extension you need to be logged in. I suspected they were storing some information somewhere. So I started brute-forcing and reading the docs for API endpoints, and came across https://connect.redacted.com/v1/user which contains the user's details along with the SESSIONID in the JSON response.

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring
